We've found some security issues in Thunderbird that display the wrong email sender to the recipient
Categories: Thunderbird :: Security, defect
Tracking: Not tracked
People: Reporter: mjr2000, Unassigned
Attachments: 1 file (417.44 KB, application/x-zip-compressed)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Steps to reproduce:
Firstly, we set up our email-sending server and selected various email service providers to receive emails we sent.
Secondly, we sent some emails with an irregular From field in the email header to target accounts, with some of them successfully entering the inbox.
Thirdly, we utilized Thunderbird to check these emails and found that it showed the wrong email author, just as we expected.
Actual results:
Some fake emails were displayed wrongly in Thunderbird, which can deceive the recipients into trusting these fake emails.
Expected results:
We hope that Thunderbird can help mitigate these attacks.
Comment 1 • 9 months ago
Thanks for the report!
Thunderbird doesn't yet support DKIM (see bug 1675449) on the client side. It can't control what messages the servers accept or reject based on such headers.
Also note, using only the first header is required for certain headers such as From. See RFC 5322 section 3.6 for the min and max number of occurrences of a given header.
Will have to check closer, but mostly your report seems about techniques to evade DKIM (etc.) checks on the server.
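As an added illustration of the two points raised in this thread (the RFC 5322 section 3.6 occurrence limits, and the fact that a client showing the first From header and a filter reading the last one can disagree), the script below is example code written for this page; it is not Thunderbird code and not the reporter's attachment. It uses its own minimal header splitter rather than the stdlib email package so the results are deterministic across Python versions, the sample messages are constructed, and the display-name heuristic (a display name that itself contains an "@") is an assumption about what an "irregular From field" looks like, since the report does not spell out the forms it used.

```python
"""Flag From-header irregularities in raw RFC 5322 messages.

Added example for this bug page (not Thunderbird code). The limits table
follows RFC 5322 section 3.6; the sample messages are constructed.
"""
import re

# Minimum and maximum occurrences allowed per RFC 5322 section 3.6.
RFC5322_LIMITS = {
    "date": (1, 1),
    "from": (1, 1),
    "sender": (0, 1),
    "reply-to": (0, 1),
    "to": (0, 1),
    "cc": (0, 1),
    "bcc": (0, 1),
    "message-id": (0, 1),
    "in-reply-to": (0, 1),
    "references": (0, 1),
    "subject": (0, 1),
}

# Matches 'Display Name <addr>'; a bare addr-spec does not match.
ANGLE_ADDR = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs in wire order.

    Folded continuation lines are joined; duplicates are kept so callers
    can count them. Only the header section (before the first blank line)
    is read, so a 'From:' line in the body is never mistaken for a header.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines: list[str] = []
    for line in head.split("\n"):
        if line and line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()  # folded line, RFC 5322 2.2.3
        else:
            lines.append(line)
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def rfc5322_violations(raw: str) -> list[str]:
    """List headers whose count falls outside the section 3.6 min/max."""
    counts: dict[str, int] = {}
    for name, _ in parse_headers(raw):
        counts[name] = counts.get(name, 0) + 1
    problems = []
    for name, (lo, hi) in RFC5322_LIMITS.items():
        n = counts.get(name, 0)
        if n < lo:
            problems.append(f"{name}: required but absent")
        elif n > hi:
            problems.append(f"{name}: {n} occurrences, max {hi}")
    return problems


def split_mailbox(value: str) -> tuple[str, str]:
    """Split 'Name <addr>' into (name, addr); a bare addr gives ('', addr)."""
    m = ANGLE_ADDR.match(value)
    if not m:
        return ("", value.strip())
    return (m.group("name").strip().strip('"'), m.group("addr").strip())


def sender_as_displayed(raw: str, first_wins: bool = True):
    """What a client shows as the author: first From (as RFC 5322 requires
    there be exactly one) or, for comparison, the last one."""
    froms = [v for n, v in parse_headers(raw) if n == "from"]
    if not froms:
        return None
    return split_mailbox(froms[0] if first_wins else froms[-1])


def suspicious_from(raw: str) -> list[str]:
    """Occurrence violations plus the display-name-looks-like-an-address
    heuristic (assumed form of an 'irregular From field')."""
    findings = rfc5322_violations(raw)
    for name, value in parse_headers(raw):
        if name != "from":
            continue
        shown, addr = split_mailbox(value)
        if "@" in shown and shown.lower() != addr.lower():
            findings.append(
                f"from: display name '{shown}' looks like an address "
                f"but mailbox is {addr}")
    return findings


# Constructed sample messages (not from the report's attachment).
DUP_FROM = (
    "From: Alice <alice@example.org>\n"
    "From: Mallory <mallory@attacker.example>\n"
    "To: bob@example.net\n"
    "Date: Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Subject: duplicate From\n"
    "\n"
    "body\n"
)
LOOKALIKE_NAME = (
    'From: "alice@example.org" <mallory@attacker.example>\n'
    "To: bob@example.net\n"
    "Date: Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Subject: display name that reads as an address\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, msg in (("dup-from", DUP_FROM), ("lookalike", LOOKALIKE_NAME)):
        print(label, "first:", sender_as_displayed(msg),
              "last:", sender_as_displayed(msg, first_wins=False))
        for finding in suspicious_from(msg):
            print("  ", finding)
```

On the duplicate-From sample, a client that follows the "first header" rule shows Alice while a filter that keys on the last From sees Mallory; the occurrence check catches the message outright because From is limited to exactly one. The look-alike sample passes every count check and is only caught by the heuristic, which is why server-side authentication (DKIM/DMARC) and client-side display of the authenticated address, rather than header counting alone, is what ultimately closes this class of spoof.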